RFR [11] 8207846: Generalize the jdk.net.includeInExceptions security property

Chris Hegarty chris.hegarty at oracle.com
Fri Jul 20 15:08:21 UTC 2018


Roger,

> On 20 Jul 2018, at 15:36, Roger Riggs <roger.riggs at oracle.com> wrote:
> 
> Hi Chris,
> 
> It is important to be clear about how whitespace is treated and within the java.security file
> there are other uses that explicitly define how whitespace is used.

Right, and the usages are already inconsistent. Nothing we can
do about that now.

> I am more concerned about how command line properties are understood and used, and how we have to document them.
> Allowing whitespace quickly gets bogged down in how shells handle quotes, telling people they have to
> quote them and when/whether you have to quote the quotes.

You cannot disallow whitespace, simply ignore them or consider
them part of the value.

> Having a consistent treatment of command line and security properties keeps the
> story simple and easier to support.

This file is already inconsistent, trimming happens in some cases.
Whitespaces are either trimmed, ignored, or considered like
any other character.

> The jdk.serialFilter property had the same issue and is explicit in the java.security file
> that spaces are just another character and are not treated specially.

This is a reasonable position.

> It's a slippery slope, if we start compensating/ignoring whitespace in some properties
> then we will have to keep explaining how some are treated differently.
> I would keep the original non-whitespace description.

Original: "This property may be set to one or more values,
separated by commas, and with no white-space"

This is ambiguous, and needs to be clarified. Surely, it is
better to use the same wording as the serial filter:

 "Whitespace is significant and is considered part of the value."

> Case-insensitive compares are another slippery slope but make a bit more sense for usability.

The complete updated text:

#
# Enhanced exception message information
#
# By default, several exception messages do not include potentially sensitive
# information such as file names, host names, or port numbers. This property may
# be used to enable categories of enhanced information in exception messages.
# The property accepts one or more comma separated values, each of which
# represents a category of enhanced exception message information to enable.
# Values are case-insensitive. Whitespace is significant and is considered part
# of the value. Unknown values are ignored.
#
# The categories, to enable enhanced exception message information, are:
#
#  hostInfo - IOExceptions thrown by java.net.Socket and also the socket types
#             in the java.nio.channels package will contain enhanced exception
#             message information
#
# The property setting in this file can be overridden by a system property of
# the same name, with the same syntax and possible values.
#
#jdk.includeInExceptions=hostInfo

-Chris.
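
The parsing rules in the proposed text above (comma separated, case-insensitive, whitespace significant, unknown values ignored, system property overrides the file), as an added example that is not part of the original message and is not the JDK's own code. The class, enum and method names are hypothetical; only the property name and the hostInfo category come from the text.

```java
import java.security.Security;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Set;

// Added illustration, not JDK source. All names here are hypothetical.
public class IncludeInExceptionsDemo {
    // The only category named in the proposed java.security text.
    enum Category { HOSTINFO }

    // Split on commas only. Nothing is trimmed, so whitespace stays part of
    // each value and " hostInfo" does not match the hostInfo category.
    static Set<Category> parse(String raw) {
        Set<Category> enabled = EnumSet.noneOf(Category.class);
        if (raw == null) {
            return enabled;
        }
        for (String value : raw.split(",")) {
            try {
                // Case-insensitive match against the known categories.
                enabled.add(Category.valueOf(value.toUpperCase(Locale.ROOT)));
            } catch (IllegalArgumentException unknown) {
                // Unknown values are ignored rather than rejected.
            }
        }
        return enabled;
    }

    // A system property of the same name overrides the security property.
    static Set<Category> effective() {
        String name = "jdk.includeInExceptions";
        String raw = System.getProperty(name);
        if (raw == null) {
            raw = Security.getProperty(name);
        }
        return parse(raw);
    }

    public static void main(String[] args) {
        // Constructed sample values, including the whitespace cases discussed above.
        String[] samples = {"hostInfo", "HOSTINFO", "foo,hostinfo",
                            " hostInfo", "hostInfo ", "foo, hostInfo", ""};
        for (String s : samples) {
            System.out.printf("%-16s -> %s%n", "\"" + s + "\"", parse(s));
        }
        System.out.println("effective: " + effective());
    }
}
```

Under these rules a value written as "foo, hostInfo" enables nothing, because the space after the comma makes the second value an unknown one that is silently ignored.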


